Lucene search

DebianDEBIAN:DLA-1641-1:5BAC3

HistoryJan 25, 2019 - 7:56 a.m.

[SECURITY] [DLA 1641-1] mxml security update

2019-01-2507:56:02

lists.debian.org

7.1 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:N/I:N/A:C

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.5 Medium

AI Score

Confidence

High

0.01 Low

EPSS

Percentile

83.4%

JSON

Package : mxml
Version : 2.6-2+deb8u1
CVE ID : CVE-2016-4570 CVE-2016-4571 CVE-2018-20004
Debian Bug : 825855 918007

Several stack exhaustion conditions were found in mxml that can easily
crash when parsing xml files.

CVE-2016-4570

The mxmlDelete function in mxml-node.c allows remote attackers to
cause a denial of service (stack consumption) via crafted xml file.

CVE-2016-4571

The mxml_write_node function in mxml-file.c allows remote attackers
to cause a denial of service (stack consumption) via crafted xml
file

CVE-2018-20004

A stack-based buffer overflow in mxml_write_node via vectors
involving a double-precision floating point number.

For Debian 8 "Jessie", these problems have been fixed in version
2.6-2+deb8u1.

We recommend that you upgrade your mxml packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian8amd64libmxml1< 2.6-2+deb8u1libmxml1_2.6-2+deb8u1_amd64.deb
Debian8amd64libmxml-dev< 2.6-2+deb8u1libmxml-dev_2.6-2+deb8u1_amd64.deb
Debian8i386libmxml1< 2.6-2+deb8u1libmxml1_2.6-2+deb8u1_i386.deb
Debian8armhflibmxml1< 2.6-2+deb8u1libmxml1_2.6-2+deb8u1_armhf.deb
Debian8armhflibmxml-dev< 2.6-2+deb8u1libmxml-dev_2.6-2+deb8u1_armhf.deb
Debian8armellibmxml1< 2.6-2+deb8u1libmxml1_2.6-2+deb8u1_armel.deb
Debian8i386libmxml-dev< 2.6-2+deb8u1libmxml-dev_2.6-2+deb8u1_i386.deb
Debian8armellibmxml-dev< 2.6-2+deb8u1libmxml-dev_2.6-2+deb8u1_armel.deb
Debian8allmxml< 2.6-2+deb8u1mxml_2.6-2+deb8u1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	amd64	libmxml1	< 2.6-2+deb8u1	libmxml1_2.6-2+deb8u1_amd64.deb
Debian	8	amd64	libmxml-dev	< 2.6-2+deb8u1	libmxml-dev_2.6-2+deb8u1_amd64.deb
Debian	8	i386	libmxml1	< 2.6-2+deb8u1	libmxml1_2.6-2+deb8u1_i386.deb
Debian	8	armhf	libmxml1	< 2.6-2+deb8u1	libmxml1_2.6-2+deb8u1_armhf.deb
Debian	8	armhf	libmxml-dev	< 2.6-2+deb8u1	libmxml-dev_2.6-2+deb8u1_armhf.deb
Debian	8	armel	libmxml1	< 2.6-2+deb8u1	libmxml1_2.6-2+deb8u1_armel.deb
Debian	8	i386	libmxml-dev	< 2.6-2+deb8u1	libmxml-dev_2.6-2+deb8u1_i386.deb
Debian	8	armel	libmxml-dev	< 2.6-2+deb8u1	libmxml-dev_2.6-2+deb8u1_armel.deb
Debian	8	all	mxml	< 2.6-2+deb8u1	mxml_2.6-2+deb8u1_all.deb